Does "Shadow IT" Lurk in Your Company?

Business divisions are bypassing the IT department, making their own decisions to buy cloud-based application services or use mobile devices, raising the specter of so-called "shadow IT" that's outside the knowledge or control of the CIO and the IT staff.

Business divisions are bypassing the IT department, making their own decisions to buy cloud-based application services or use mobile devices, raising the specter of so-called "shadow IT" that's outside the knowledge or control of the CIO and the IT staff.

"The data is suddenly not in the organization anymore," says Chris Curran, principal for technology strategy and innovation at the PricewaterhouseCoopers (PwC) consultancy, about the aftershock that can come when IT finds out that business managers found it quite simple to pay for sophisticated kinds of cloud-based applications for sales and customer relationship management without telling IT.

In the old days, such actions -- usually about rogue wireless LANs or websites that business units set up -- would have been considered serious negative behavior that warranted a "play by the rules" lecture at the very least. But today, Curran says, the CIO and the IT staff are in a very different spot than they were in 10 years ago, and they have to take a hard look at why shadow IT is happening -- and it may be for a valid reason.

Based on its own analysis, including the "Raising Your Digital IQ" survey of 500 U.S. companies with annual revenues of about $500 million, PwC estimates that somewhere between 15% up to 30% of IT spending now occurs outside the standard consolidated budget of the IT department. Sometimes it's wholly unknown to IT staff and sometimes it's not, though IT isn't exactly consulted. Cloud services buying, in particular, is today a major factor in spending outside "the processes and procurement practices of IT," says Curran. Complications ensue when the business managers, after their shadow IT decisions for cloud services, later go to the IT department with demands to integrate enterprise data with what has become cloud-based data in order to do analytics or for other purposes.

Curran argues that this shadow IT issue is only going to grow for the enterprise IT department. The business unit may have made a decision to go around IT because they consider it too slow, or managing a CRM application they don't feel is optimum anymore for the business. Other services, like file-sharing services the IT department finds out business people are using, are likely to cause concern about security or compliance, too. But the CIO has to strive to "partner with the CFO to get visibility into this type of expenditure," says Curran. "Someone needs to have the enterprise view." In the end, the IT department may have to adopt to a changing role, he notes.

Andrzej Kawalec, global chief technology officer of Enterprise Security Services at HP, agrees shadow IT is a significant issue, though he doesn't think it's necessarily as pervasive as PwC sees it. But he does agree, "It's one of the biggest challenges to IT."

He says business units often make these direct IT buying decisions out of a sense they have to move fast to reach new channels or markets. "This is often based on a clear business mandate and logic." But there are often "hidden costs" in managing data after a shadow IT project has occurred, he points out. Resources become more and more fragmented and spread out or "misaligned." One top concern in shadow IT will certainly be security and compliance of data.

"You're introducing a lot of new risk into the system," he says, noting that the chief information security officer (CISO) or the chief security officer (CSO) in the enterprise has a clear role to play when it comes to shadow IT.

"One of the main roles of the CISO is to call out these behaviors," Kawalec says. They have to figure out what is going on and analyze it, and report findings about the security and compliance implications of shadow IT to the chief executive and the board of the corporation, where final decisions need to be made. "Shadow IT cannot be played out in the shadows," Kawalec concludes. "Someone has to shine a light on what's outside the norm."